Closed Bug 1129224 Opened 10 years ago Closed 10 years ago

MediaPromise can release the target object in a different thread than it was created on

Categories

(Core :: Audio/Video, defect)

Product:
Core
Component:
Audio/Video
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla38
Tracking Flags:
Tracking Status
firefox36 --- wontfix
firefox37 --- fixed
firefox38 --- fixed

People

(Reporter: jya, Assigned: jya)

References

(Blocks 1 open bug)

Details

Attachments

(1 file, 1 obsolete file)

Ensure the target is always unref in the target thread. r:bholley
2.02 KB, patch
lmandel
: approval-mozilla-aurora+
Details | Diff | Splinter Review
Under some circumstances (if the MediaPromise was disconnected by the MediaPromiseConsumerHolder), it is possible that the callee gets released in the thread resolving/rejecting the promise. This can cause undefined behaviour or assert error should the callee not marked as thread-safe Here is one backtrace example: 21:17:01 INFO - Hit MOZ_CRASH(DOMEventTargetHelper not thread-safe) at /builds/slave/try-lx-d-000000000000000000000/build/src/dom/events/DOMEventTargetHelper.cpp:76 21:17:01 INFO - #01: mozilla::DOMEventTargetHelper::Release() [dom/events/DOMEventTargetHelper.cpp:75] 21:17:01 INFO - #02: mozilla::dom::SourceBuffer::Release() [dom/media/mediasource/SourceBuffer.cpp:625] 21:17:01 INFO - #03: mozilla::MediaPromise<bool, tag_nsresult, false>::ThenValue<nsIThread, mozilla::dom::SourceBuffer, void (mozilla::dom::SourceBuffer::*)(bool), void (mozilla::dom::SourceBuffer::*)(tag_nsresult)>::~ThenValue() [xpcom/base/nsRefPtr.h:59] 21:17:01 INFO - #04: mozilla::MediaPromise<bool, tag_nsresult, false>::ThenValue<nsIThread, mozilla::dom::SourceBuffer, void (mozilla::dom::SourceBuffer::*)(bool), void (mozilla::dom::SourceBuffer::*)(tag_nsresult)>::~ThenValue() [memory/mozalloc/mozalloc.h:233] 21:17:01 INFO - #05: mozilla::MediaPromise<bool, tag_nsresult, false>::Consumer::Release() [dom/media/MediaPromise.h:92] 21:17:01 INFO - #06: nsTArray_Impl<nsRefPtr<mozilla::MediaPromise<bool, tag_nsresult, false>::ThenValueBase>, nsTArrayInfallibleAllocator>::RemoveElementsAt(unsigned int, unsigned int) [xpcom/glue/nsTArray.h:1700] 21:17:01 INFO - #07: nsTArray_Impl<nsRefPtr<mozilla::MediaPromise<bool, tag_nsresult, false>::ThenValueBase>, nsTArrayInfallibleAllocator>::Clear() [xpcom/glue/nsTArray.h:1406] 21:17:01 INFO - #08: mozilla::MediaPromise<bool, tag_nsresult, false>::DispatchAll() [dom/media/MediaPromise.h:369] 21:17:01 INFO - #09: mozilla::MediaPromise<bool, tag_nsresult, false>::Reject(tag_nsresult, char const*) [dom/media/MediaPromise.h:356] 21:17:01 INFO - #10: mozilla::MediaPromiseHolder<mozilla::MediaPromise<bool, tag_nsresult, false> >::Reject(tag_nsresult, char const*) [xpcom/base/nsRefPtr.h:44] 21:17:01 INFO - #11: mozilla::TrackBuffer::Shutdown() [mfbt/RefPtr.h:245] 21:17:01 INFO - #12: mozilla::MediaSourceReader::ContinueShutdown() [dom/media/mediasource/MediaSourceReader.cpp:391] 21:17:01 INFO - #13: mozilla::MediaSourceReader::Shutdown() [dom/media/mediasource/MediaSourceReader.cpp:382] 21:17:01 INFO - #14: mozilla::MediaDecoderStateMachine::ShutdownReader() [dom/media/MediaDecoderStateMachine.cpp:2705] 21:17:01 INFO - #15: nsRunnableMethodImpl<void (mozilla::MediaDecoderStateMachine::*)(), void, true>::Run() [xpcom/glue/nsThreadUtils.h:386] 21:17:01 INFO - #16: mozilla::MediaTaskQueue::Runner::Run() [dom/media/MediaTaskQueue.cpp:237] 21:17:01 INFO - #17: nsThreadPool::Run() [xpcom/threads/nsThreadPool.cpp:225] 21:17:01 INFO - #18: nsThread::ProcessNextEvent(bool, bool*) [xpcom/threads/nsThread.cpp:855] 21:17:01 INFO - #19: NS_ProcessNextEvent(nsIThread*, bool) [xpcom/glue/nsThreadUtils.cpp:265] 21:17:01 INFO - #20: mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) [ipc/glue/MessagePump.cpp:340] 21:17:01 INFO - #21: MessageLoop::RunInternal() [ipc/chromium/src/base/message_loop.cc:233] 21:17:01 INFO - #22: MessageLoop::Run() [ipc/chromium/src/base/message_loop.cc:508] 21:17:01 INFO - #23: nsThread::ThreadFunc(void*) [xpcom/threads/nsThread.cpp:358] 21:17:01 INFO - #24: _pt_root [nsprpub/pr/src/pthreads/ptthread.c:215]
As discussed on IRC. Ensure the target is released on the target thread, even if the promise had been disconnected.
Attachment #8558830 - Flags: review?(bobbyholley)
Assignee: nobody → jyavenard
Status: NEW → ASSIGNED
Comment on attachment 8558830 [details] [diff] [review] Ensure the target is always unref in the target thread. r:bholley Review of attachment 8558830 [details] [diff] [review]: ----------------------------------------------------------------- r=me with that fix. ::: dom/media/MediaPromise.h @@ +253,5 @@ > Consumer::mComplete = true; > + // Null these out before returning so that any references are > + // released predictably on the target thread. Otherwise, they would be > + // released on whatever thread last drops its reference to the ThenValue, > + // which may or may not be ok. "These" is ambiguous here. Leave this comment where it was... @@ +258,3 @@ > if (Consumer::mDisconnected) { > PROMISE_LOG("ThenValue::DoResolve disconnected - bailing out [this=%p]", this); > + mResponseTarget = nullptr; ...and immediately above this line, say: // Null these out for the same reasons described below. @@ +272,5 @@ > Consumer::mComplete = true; > + // Null these out before returning so that any references are > + // released predictably on the target thread. Otherwise, they would be > + // released on whatever thread last drops its reference to the ThenValue, > + // which may or may not be ok. Same thing here.
Attachment #8558830 - Flags: review?(bobbyholley) → review+
We actually probably don't need this on 36 if we don't ship MSE there, since we currently only do disconnects in MediaSourceReader.
Attachment #8558830 - Attachment is obsolete: true
https://hg.mozilla.org/mozilla-central/rev/669d5ac85dbf
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla38
If MSE is disabled in beta, we don't care about this one. But it should be in 37...
Flags: needinfo?(giles)
Comment on attachment 8558867 [details] [diff] [review] Ensure the target is always unref in the target thread. r:bholley Approval Request Comment [Feature/regressing bug #]: MSE [User impact if declined]: Playback failures or crashes with video. [Describe test coverage new/current, TreeHerder]: Landed on m-c, green on aurora try. [Risks and why]: Risk is low. This is a straightword change to cleanup logic. [String/UUID change made/needed]: None.
Flags: needinfo?(giles)
Attachment #8558867 - Flags: approval-mozilla-aurora?
Comment on attachment 8558867 [details] [diff] [review] Ensure the target is always unref in the target thread. r:bholley Agreed. Straightforward change that is required for MSE. Aurora+
Attachment #8558867 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: